Here's a quick checklist of trainAbility recommendations for handling encrypted files:
- Always set folder encryption and then create files within the encrypted folder. Each file inside encrypted folder is encrypted with the creator's public key. Copying or moving an unencrypted file to an encrypted folder encrypts the file. Encrypted files retain their encryption status when moved or copied to other NTFS 5 volumes.
- Protect EFS files with NTFS permissions. EFS encrypts only the data portion of the file. Any user with adequate NTFS permissions can rename or delete an encrypted file.
- Encrypt temp folders and any folders where applications place temp or backup files. These files will be in clear text unless encrypted.
- Keep in mind that the system paging file and transaction log are not encrypted. Put a policy in place to delete the paging file at logoff. Keep in mind that an experienced hacker can still see the contents of the paging file even after the file is deleted. Piecing together a file from that information is a little like reconstructing a shredded document, but it isn't impossible.
- After changing any Group Policies affecting file encryption, restart member computers, or wait about 90 minutes for the changes to copy down to the local machines.